MaraDNS security update

December 2 2013

While looking over the source code to Deadwood, I discovered that
Deadwood 3 releases before Deadwood-3.2.03d have a security
issue caused by a programming error I made.

Under certain exceptional circumstances, it may have been possible to
perform a blind spoofing attack against unpatched releases of Deadwood.
The IP performing the blind spoofing attack needs to appear to have
permission to perform full recursion with Deadwood in order to carry
out the attack.

Upgrading will fix the bug. Then again, administrators who already
perform good practices, making sure that only authorized IPs can use
Deadwood recursively (pretty much mandatory in light of DNS amplification
attacks) will only be affected by this bug if either a machine with an
authorized IP is compromised, or if it is possible for the attacker to
send the Deadwood server a packet with a spoofed IP.

This update was released today. MaraDNS 2.0.07d,
Deadwood 3.2.03d, and MaraDNS 1.4.13 are patched against this bug.
Deadwood 2.3.08 is not affected by this bug.